Question No: 331 – (Topic 2)

Which of the following is the MOST important step for preserving evidence during forensic procedures?

A. Involve law enforcement

B. Chain of custody

C. Record the time of the incident

D. Report within one hour of discovery

Answer: B

Explanation:

Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. From the moment you begin to collect evidence you must keep track of it at all times and be able to show who has it, who has seen it, and where it has been. The evidence must always be in documented custody, or you are open to a dispute about possible tampering. A contemporaneous record of every handoff, with a hash of the evidence taken at acquisition and re-checked at each transfer, is what makes the evidence defensible. Thus, to preserve evidence during a forensic procedure, the chain of custody is of utmost importance.
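As an added example (not part of the original question bank), the following Python sketch shows what a chain-of-custody record looks like in practice: the evidence is hashed at acquisition, every handoff is logged with who released it, who received it and the hash the receiver computed, and a verifier checks that the bytes, the holders and the timestamps are all consistent. The case and handler names, the sample log bytes and the timestamps are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample evidence: stands in for the disk image or log file that was collected.
SAMPLE_EVIDENCE = (
    b"Jan 10 03:12:07 host1 sshd[4121]: Accepted password for root from 203.0.113.5\n"
    b"Jan 10 03:12:09 host1 sudo: root : TTY=pts/0 ; COMMAND=/bin/tar czf /tmp/x.tgz /srv/data\n"
)


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence; identical bytes must produce this value at every handoff."""
    return hashlib.sha256(data).hexdigest()


def start_custody(case_id: str, item_id: str, description: str,
                  handler: str, data: bytes, when: datetime) -> dict:
    """Open the record at acquisition and pin the hash the item must keep from now on."""
    digest = sha256_hex(data)
    return {
        "case_id": case_id,
        "item_id": item_id,
        "description": description,
        "acquisition_hash": digest,
        "entries": [{"action": "collected", "from": None, "to": handler,
                     "timestamp": when.isoformat(), "hash": digest}],
    }


def record_transfer(record: dict, from_handler: str, to_handler: str,
                    data: bytes, when: datetime) -> dict:
    """Log a handoff. The receiver re-hashes the item, so any change is tied to a specific link."""
    entry = {"action": "transferred", "from": from_handler, "to": to_handler,
             "timestamp": when.isoformat(), "hash": sha256_hex(data)}
    record["entries"].append(entry)
    return entry


def verify_custody(record: dict, data: bytes) -> list:
    """Return the list of problems found (an empty list means the chain is sound).

    Checks: the bytes still match the acquisition hash, no handoff recorded a
    different hash, every handoff was released by the holder named in the previous
    entry, and timestamps never run backwards.
    """
    problems = []
    if sha256_hex(data) != record["acquisition_hash"]:
        problems.append("evidence hash differs from acquisition hash")
    entries = record["entries"]
    for i, entry in enumerate(entries):
        if entry["hash"] != record["acquisition_hash"]:
            problems.append(f"entry {i}: hash at handoff differs from acquisition hash")
        if i == 0:
            continue
        prev = entries[i - 1]
        if entry["from"] != prev["to"]:
            problems.append(f"entry {i}: released by {entry['from']} but recorded holder was {prev['to']}")
        if datetime.fromisoformat(entry["timestamp"]) < datetime.fromisoformat(prev["timestamp"]):
            problems.append(f"entry {i}: timestamp earlier than previous entry")
    return problems


def demo() -> tuple:
    """A clean chain, then the same record after an undocumented holder returns altered bytes."""
    t0 = datetime(2024, 1, 10, 4, 0, tzinfo=timezone.utc)
    rec = start_custody("CASE-0001", "ITEM-01", "auth.log from host1",
                        "examiner_a", SAMPLE_EVIDENCE, t0)
    record_transfer(rec, "examiner_a", "evidence_locker", SAMPLE_EVIDENCE, t0 + timedelta(hours=1))
    record_transfer(rec, "evidence_locker", "examiner_b", SAMPLE_EVIDENCE, t0 + timedelta(days=1))
    clean = verify_custody(rec, SAMPLE_EVIDENCE)

    # Break the chain: "contractor_x" was never a recorded holder, and the log comes
    # back with the root login rewritten as an ordinary user.
    tampered = SAMPLE_EVIDENCE.replace(b"for root", b"for user")
    record_transfer(rec, "contractor_x", "examiner_a", tampered, t0 + timedelta(days=2))
    broken = verify_custody(rec, tampered)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean chain:", clean or "no problems")
    print("broken chain:", broken)
```

The verifier reports three distinct problems for the broken chain: the bytes no longer match the acquisition hash, the last handoff recorded a different hash, and the person who released the item was never its recorded holder. That is exactly the kind of dispute the explanation above warns about, and the record is what lets you answer it.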

Question No: 332 – (Topic 2)

A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data.

Which of the following types of interoperability agreement is this?

A. ISA

B. MOU

C. SLA

D. BPA

Answer: A

Explanation:

ISA/Interconnection Security Agreement is an agreement between two organizations that have connected systems. The agreement documents the technical and security requirements of the interconnection, which is exactly what both parties need to agree on here: the controls that protect the sensitive data once it sits in the provider's environment. An MOU records intent at a higher level, an SLA defines service levels, and a BPA governs the business relationship; none of them specifies the technical controls.

Question No: 333 – (Topic 2)

XYZ Corporation is about to purchase another company to expand its operations. The CEO is concerned about information leaking out, especially with the cleaning crew that comes in at night.

The CEO would like to ensure no paper files are leaked. Which of the following is the BEST policy to implement?

A. Social media policy

B. Data retention policy

C. CCTV policy

D. Clean desk policy

Answer: D

Explanation:

Clean Desk Policy: Information on a desk (printouts, pads of note paper, sticky notes, and the like) can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, require employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be locked away when the employee is away from their desk, which is precisely when an after-hours cleaning crew would otherwise have access to it.

Question No: 334 – (Topic 2)

Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use?

A. Email scanning

B. Content discovery

C. Database fingerprinting

D. Endpoint protection

Answer: D

Explanation:

Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and who is transmitting it. DLP systems share commonality with network intrusion prevention systems. Data in use is data being opened, edited, copied or printed on a user's machine, so it can only be observed there: an endpoint DLP agent inspects clipboard, print, removable-media and application activity on the host, across both physical and virtual machines. Email scanning covers data in motion, content discovery covers data at rest, and database fingerprinting is a technique for recognising sensitive records rather than a place to enforce controls.
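Whichever of the strategies above is chosen, the agent still has to recognise sensitive content when it sees it. The following Python is an added example, not code from the question bank or from any DLP product, of the content-inspection step: candidate card numbers are found with a pattern and then validated with the Luhn check so that order numbers and ticket IDs that merely look like card numbers are not reported, SSNs are matched in their dashed form, and findings are masked so the alert itself does not become another copy of the data. The sample message is constructed for illustration.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common dashed form.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample of an outbound message an endpoint or email DLP agent would inspect.
SAMPLE_MESSAGE = """Hi, order 1234-5678-1234-5678 has shipped.
Please charge the card 4111 1111 1111 1111 exp 12/27 for the balance.
Ticket ref 4111111111111112 is unrelated. Employee SSN 123-45-6789 for payroll.
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers.

    Filters out order numbers and ticket IDs that merely look like PANs; only a
    string that passes this check is reported as card data.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Keep only the last few digits so the finding can be reported without leaking the value."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text: str) -> list:
    """Return (kind, masked value) findings for card numbers and SSNs in the text."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_PATTERN.finditer(text):
        findings.append(("SSN", "***-**-" + m.group(0)[-4:]))
    return findings


def decide(findings: list) -> str:
    """Policy stub: block the transfer if any regulated identifier is present.

    A real deployment keys this on the data classification and the destination
    rather than on a flat rule.
    """
    return "block" if findings else "allow"


if __name__ == "__main__":
    found = scan_text(SAMPLE_MESSAGE)
    print(found, "->", decide(found))
```

Of the three sixteen-digit strings in the sample, only the one that passes the Luhn check is reported; the order number and the ticket reference are left alone, which is the difference between a DLP rule users tolerate and one they disable.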

Question No: 335 – (Topic 2)

Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident?

A. The logs are corrupt and no longer forensically sound.

B. Traffic logs for the incident are unavailable.

C. Chain of custody was not properly maintained.

D. Incident time offsets were not accounted for.

Answer: D

Explanation:

It is quite common for workstation clocks to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation usually depends on a step-by-step account of what happened, being able to follow events in the correct time sequence across systems is critical. Because of this, it is imperative to record the time offset of each affected machine during the investigation: compare its clock with a trusted reference clock, note the difference, and apply that difference when correlating its logs with logs from other systems. One method of assisting with this is to add an entry to a log file and note both the time this was done on the reference clock and the time the system stamped on the entry.
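The following Python is an added illustration (not part of the original explanation) of the correction described above. Three hosts have had their offsets measured against the examiner's reference clock; each exported log line is moved onto the reference timeline by subtracting its host's offset, and the merged timeline is sorted. The host names, offsets and log lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed offsets measured during the investigation: each host's clock compared
# with the examiner's NTP-synchronised reference. Positive means the host clock runs fast.
HOST_OFFSETS = {
    "fw01": timedelta(0),                         # firewall is on NTP, no offset
    "web01": timedelta(minutes=-7, seconds=-12),  # web server clock is 7 min 12 s slow
    "db01": timedelta(minutes=4),                 # database server clock is 4 min fast
}

# Constructed log lines as exported from each host: "<host>|<host-local timestamp>|<message>".
RAW_LOGS = [
    "web01|2024-01-10T09:53:30|GET /upload.php from 203.0.113.5",
    "web01|2024-01-10T09:54:05|outbound connection to 203.0.113.5:4444",
    "fw01|2024-01-10T10:00:00|ACCEPT 203.0.113.5 -> web01:443",
    "db01|2024-01-10T10:05:10|bulk SELECT on customers by app_user",
]


def measure_offset(host_clock: datetime, reference_clock: datetime) -> timedelta:
    """Offset to write down for a host: read both clocks at the same instant and subtract."""
    return host_clock - reference_clock


def to_reference_time(host: str, local_ts: datetime) -> datetime:
    """Move a host-local timestamp onto the reference timeline by removing that host's offset."""
    return local_ts - HOST_OFFSETS[host]


def parse_line(line: str) -> tuple:
    """Split one exported line into (host, host-local datetime, message)."""
    host, ts, msg = line.split("|", 2)
    return host, datetime.fromisoformat(ts), msg


def build_timeline(lines: list, correct_offsets: bool = True) -> list:
    """Merge logs from several hosts into one ordered list of (time, host, message)."""
    events = []
    for line in lines:
        host, ts, msg = parse_line(line)
        when = to_reference_time(host, ts) if correct_offsets else ts
        events.append((when, host, msg))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for label, fix in (("uncorrected", False), ("corrected", True)):
        print(label)
        for when, host, msg in build_timeline(RAW_LOGS, correct_offsets=fix):
            print(f"  {when.time()}  {host:6}  {msg}")
```

Uncorrected, the web server appears to have served the upload and called back out six minutes before the firewall allowed the connection, and the database query looks like an unrelated event five minutes later. Corrected, all four events fall inside a 77-second window in the order firewall accept, upload, database read, outbound connection, which is the sequence the team needs in order to correlate them.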

Question No: 336 – (Topic 2)

Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement?

A. Matt should implement access control lists and turn on EFS.

B. Matt should implement DLP and encrypt the company database.

C. Matt should install Truecrypt and encrypt the company server.

D. Matt should install TPMs and encrypt the company database.

Answer: B

Explanation:

Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and who is transmitting it, which is what addresses the theft requirement. Encrypting the company database protects the confidentiality of the data if the storage or a copy of it is obtained, which addresses the encryption requirement. EFS, Truecrypt and TPM-backed encryption each satisfy only the second requirement; an authorized user can still copy the decrypted data out.

Question No: 337 – (Topic 2)

Which of the following helps to apply the proper security controls to information?

A. Data classification

B. Deduplication

C. Clean desk policy

D. Encryption

Answer: A

Explanation:

Information is classified according to its confidentiality requirements, typically into three categories: public use, internal use and restricted use. Knowing which category a piece of information belongs to is what makes it practical to apply the appropriate policies and security controls (encryption, access restrictions, handling and retention rules) to it; encryption on its own is one such control, not the means of deciding which controls apply.

Question No: 338 – (Topic 2)

An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame.

Which of the following strategies would the administrator MOST likely implement?

A. Full backups on the weekend and incremental during the week

B. Full backups on the weekend and full backups every day

C. Incremental backups on the weekend and differential backups every day

D. Differential backups on the weekend and full backups every day

Answer: A

Explanation:

A full backup is a complete, comprehensive backup of all files on a disk or server. The full backup is current only at the time it’s performed. Once a full backup is made, you have a complete archive of the system at that point in time. A system shouldn’t be in use while it undergoes a full backup because some files may not get backed up. Once the system goes back into operation, the backup is no longer current. A full backup can be a time-consuming process on a large system.

An incremental backup is a partial backup that stores only the information that has changed since the last full or the last incremental backup. If a full backup were performed on a Sunday night, an incremental backup done on Monday night would contain only the information that changed since Sunday night, and Tuesday night's would contain only what changed since Monday night. Such a backup is typically considerably smaller than a full backup. Each incremental backup must be retained until the next full backup is performed, because a restore needs the last full backup plus every incremental taken since it, applied in order; losing or corrupting any one of them leaves the restore incomplete. Incremental backups are usually the fastest backups to perform on most systems and each incremental backup tape is relatively small, which is why they fit the administrator's priorities here: short backup windows during the week at the cost of a longer restore.
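As an added worked example (not from the original explanation), the Python below simulates one week of backups under the incremental and the differential strategy for a small constructed file set, and computes both how much is copied each night and which backups a restore has to read. The file names and the per-day change sets are made up for the illustration.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

# Constructed data set: ten files on the server and which of them change on each weekday.
ALL_FILES = {f"file{i}.dat" for i in range(1, 11)}
DAILY_CHANGES = {
    "Mon": {"file1.dat", "file2.dat"},
    "Tue": {"file3.dat"},
    "Wed": {"file1.dat", "file4.dat"},
    "Thu": {"file5.dat"},
    "Fri": {"file2.dat", "file6.dat"},
    "Sat": {"file7.dat"},
}


def plan_week(strategy: str) -> list:
    """Return [(day, kind, files)] for one week: a full on Sunday, then the chosen kind each day.

    'incremental' copies what changed since the previous backup of any kind;
    'differential' copies everything that changed since the last full.
    """
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    plan = [("Sun", "full", set(ALL_FILES))]
    since_full = set()
    for day in DAYS[1:]:
        changed = DAILY_CHANGES[day]
        since_full |= changed
        files = set(changed) if strategy == "incremental" else set(since_full)
        plan.append((day, strategy, files))
    return plan


def restore_chain(plan: list, target_day: str) -> list:
    """Days whose backups must be read, in order, to rebuild the system as of target_day."""
    idx = DAYS.index(target_day)
    if idx == 0:
        return ["Sun"]
    if plan[idx][1] == "incremental":
        needed = plan[:idx + 1]          # the full plus every incremental since it
    else:
        needed = [plan[0], plan[idx]]    # the full plus only the latest differential
    return [day for day, _, _ in needed]


def restore(plan: list, target_day: str) -> dict:
    """Replay the chain; the value records which backup supplied each file's latest copy."""
    by_day = {day: files for day, _, files in plan}
    state = {}
    for day in restore_chain(plan, target_day):
        for f in by_day[day]:
            state[f] = day                # later backups overwrite earlier versions
    return state


def weekday_volume(plan: list) -> int:
    """Total number of files copied Monday to Saturday (a proxy for time spent backing up)."""
    return sum(len(files) for _, kind, files in plan if kind != "full")


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        plan = plan_week(strategy)
        print(f"{strategy}: {weekday_volume(plan)} files copied Mon-Sat, "
              f"Saturday restore reads {restore_chain(plan, 'Sat')}")
```

With these change sets the incremental schedule copies 9 files over the six weekday nights but a Saturday restore must read all seven backups in sequence; the differential schedule copies 27 files, three times as many, but restores from just the Sunday full and the Saturday differential. Both strategies rebuild the same file versions for any day, which the replay confirms.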

Question No: 339 – (Topic 2)

Various network outages have occurred recently due to unapproved changes to network and security devices. All changes were made using various system credentials. The security analyst has been tasked to update the security policy. Which of the following risk mitigation strategies would also need to be implemented to reduce the number of network outages due to unauthorized changes?

A. User rights and permissions review

B. Configuration management

C. Incident management

D. Implement security controls on Layer 3 devices

Answer: A

Explanation:

Reviewing user rights and permissions determines whether all groups, users, and other accounts have the privileges appropriate to corporate policy and their job descriptions. Because the outages were caused by changes made with various system credentials, the review shows which accounts are able to make such changes and lets the security analyst apply the principle of least privilege, removing change rights from accounts that do not need them, while updating the security policy.

Question No: 340 – (Topic 2)

Which of the following assets is MOST likely considered for DLP?

A. Application server content

B. USB mass storage devices

C. Reverse proxy

D. Print server

Answer: B

Explanation:

Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and who is transmitting it. USB mass storage devices are the most likely vehicle for data to leave the organization: they are small, easily concealed, and can copy large volumes of data in minutes, which is why endpoint DLP agents commonly monitor, restrict or block them.